Re: System32.exe XP? is this a virus

From: Doug Knox MS-MVP (dknox@mvps.org)
Date: 04/25/03


From: "Doug Knox MS-MVP" <dknox@mvps.org>
Date: Thu, 24 Apr 2003 23:56:12 -0400


This is not a Windows file. The command to run it is a leftover remnant
from a virus.

http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.c.worm.html

For automated removal of the remnants of this virus, see www.dougknox.com,
Win XP Fixes, Clean KWBot.Worm Registry Entries.

-- 
Doug Knox, MS-MVP Windows XP/ Windows Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Associate Expert
ExpertZone - http://www.microsoft.com/windowsxp/expertzone
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.
"Taj" <tajno1@yahoo.co.uk> wrote in message
news:042a01c30ac6$15dc0910$a101280a@phx.gbl...
> lol! thanks again Earl. What are the chances! lol
>
> okay so if i go to that reg clear place u said then the
> message will stop popping up at startup?
>
> >-----Original Message-----
> >
> >"Taj" <tajno1@yahoo.co.uk> wrote in message
> >news:033d01c30ac0$3915e280$a301280a@phx.gbl...
> >> Previous post i wrote:
> >>
> >> "When starting the PC to the desktop screen a message box
> >> titled "C:\WINDOWS\System32\system32.exe" appears saying:
> >>
> >>  "Windows cannot find 'C:\WINDOWS\System32\system32.exe'.
> >> Make sure you typed the name correctly, and then try
> >> again. To search for a file, click the Start button, and
> >> then click Search."
> >>
> >> I then have the option of clicking "OK". This occurs
> >> every time at start up now even though i don't remember
> >> making a search for that file and i don't remember
> >> deleting it at any point."
> >>
> >> Well a guy named Earl said this may be
> >> a "W95.Smoker.Worm@mm" virus. I have some questions:
> >>
> >> 1)Reputable antivirus sites say this type of virus uses
> >> the system32.exe file to start itself. I have been told
> >> XP doesn't have a system32.exe file. Does this mean i
> >> have the virus or not since the key file for the virus to
> >> work isn't on XP. I think this virus was meant for
> >> previous windows that had the system32.exe file.
> >>
> >> 2)There are many similar but DIFFERENT viruses like this
> >> with different methods of removal involving the Registry
> >> Keys. Since i'm not even sure if i have the virus should i
> >> bother to follow the antivirus removal instructions.
> >>
> >> 3)If i should go through with removal- how do i choose
> >> which type of virus i have. since the virus has not
> >> executed properly (no system32.exe file-hence the reason
> >> for the message at startup), i cannot tell what the
> >> symptoms are . If i can't see the symptoms i can't identify
> >> what virus type i have, therefore i don't know how to
> >> remove it. HOWEVER like i say, there seems to be no
> >> symptoms other than this startup message box which
> >> implies the virus hasn't actually executed yet , in which
> >> case....
> >>
> >> 4) is there a way to remove the message that i receive at
> >> startup
> >>
> >> PHEW ! thanks for reading this far! let's see who's the
> >> first to understand this one.....
> >>
> >> Taj
> >
> >The guy named Earl says that worms and viruses often give themselves
> >names similar to authentic Windows files to discourage people from
> >deleting them or they place them in a different folder from the
> >authentic file with the same name.  Some of the favorite names have
> >"system" or "32" somewhere in the name.  One worm is called
> >"Iexplorer.Exe" while the authentic file is called "Iexplore.Exe."
> >Many people would have deleted the authentic file and kept the fake
> >if they could.
> >
> >You can go to http://www.vtoy.fi/jv16/shtml/software.shtml and
> >download RegCleaner 4.3 which makes it easier to remove lines in the
> >Registry.  It also backs up the delete in case you make a mistake.
> >
> >-- 
> >Earl F. Parrish
> >
> >.
> >
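The two checks discussed in this thread (a startup command left behind for a file that no longer exists, and a file name that imitates a real Windows binary), as an added example that is not part of the original posts. It assumes the leftover command sits in a Run key; the export text, value names, file list and allow-list are constructed for illustration.

```python
import difflib
import ntpath
import re

# Illustrative allow-list of real Windows binary names; extend it for real use.
KNOWN_GOOD = ["iexplore.exe", "explorer.exe", "svchost.exe", "rundll32.exe"]

# Constructed `reg export` of a Run key (value names are made up, not from the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System32"="C:\\WINDOWS\\System32\\system32.exe"
"Browser"="\"C:\\Program Files\\Internet Explorer\\Iexplorer.Exe\" -quiet"
"Shell"="C:\\WINDOWS\\explorer.exe"
'''

# Constructed stand-in for the disk; on a live system test with os.path.exists.
SAMPLE_FILES = {r"c:\windows\explorer.exe",
                r"c:\program files\internet explorer\iexplorer.exe"}

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
EXE_RE = re.compile(r'(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', re.I)

def target_of(command):
    """Executable path of a Run command: the quoted path, else up to the extension."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(' ', 1)[0]

def triage(export_text, existing_files):
    """Return (value name, target path, reasons) for each suspicious Run entry."""
    findings = []
    for m in filter(None, map(VALUE_RE.match, export_text.splitlines())):
        # .reg files escape backslashes and quotes with a backslash; undo that.
        name, command = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
        path = target_of(command)
        base = ntpath.basename(path).lower()
        reasons = []
        if path.lower() not in existing_files:
            reasons.append("target missing")  # causes the "cannot find" box at logon
        near = difflib.get_close_matches(base, KNOWN_GOOD, n=2, cutoff=0.85)
        if near and base not in KNOWN_GOOD:
            reasons.append("resembles " + ", ".join(sorted(near)))
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_EXPORT, SAMPLE_FILES))
```

An entry flagged only as "target missing" matches the symptom reported here: the file is gone but the command that launches it remains.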